Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add header #64

Merged
merged 4 commits into from
Jan 29, 2024
Merged

Add header #64

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
61e0025
Added header description
tulshi Jan 23, 2024
de88238
updated section name to fix error
tulshi Jan 23, 2024
9bcb665
incorporated George's feedback
tulshi Jan 25, 2024
73b34be
removed token format line from header section
tulshi Jan 26, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
8 changes: 8 additions & 0 deletions draft-ietf-oauth-transaction-tokens.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,8 @@ contributor:

normative:
RFC2119: # Keywords
RFC2616: # HTTP
RFC4648: # Encoding
RFC8446: # TLS
RFC6749: #OAuth
RFC7519: #JWT
Expand Down Expand Up @@ -451,6 +453,12 @@ A Txn-Token Service MUST ensure that it authenticates any workloads requesting T

The requesting workload MUST have a pre-configured location for the Transaction Token Service. It SHOULD rely on mechanisms, such as {{Spiffe}}, to securely authenticate the Transaction Token Service before making a Txn-Token Request.

# Using Txn-Tokens
Txn-Tokens need to be communicated between workloads that depend upon them to authorize the request. Such workloads will often present HTTP {{RFC2616}} interfaces for being invoked by other workloads. This section specifies the HTTP header the invoking workload MUST use to communicate the Txn-Token to the invoked workload, when the invoked workload presents an HTTP interface. Note that the standard HTTP `Authorization` header MUST NOT be used because that may be used by the workloads to communicate channel authorization.

## Txn-Token HTTP Header
A workload that invokes another workload using HTTP and needs to present a Txn-Token to the invoked workload MUST use the HTTP Header `Txn-Token` to communicate the Txn-Token. The value of this header MUST be the JWT that represents the Txn-Token.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to (or should we) say anything about the encoding of the JWT?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've updated the language to specify the encoding. However, I feel like this might be redundant.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See notes of call on 1/26. We have decided to drop the line about the format.


# Security Considerations {#Security}

## Txn-Token Lifetime
Expand Down